Tens of millions of HP LaserJet printers vulnerable to remote hacking

It seems, though HP is yet to confirm it, that researchers from Columbia University have found a security hole in “tens of millions” of HP LaserJet printers that allows a remote hacker to install new and dangerous firmware on the device. In one example, the researchers used the vulnerability to hack a printer’s fuser — the heating element that bonds the toner pigment to the paper — causing the paper to turn brown and begin to smoke.

The attack vector is depressingly simple: Every time a vulnerable LaserJet printer accepts a print job, it scans that job to see if it includes a firmware update. Unbelievably, the printer doesn’t then check the source of the update; HP doesn’t digitally sign its updates, and the printer isn’t looking for HP’s signature. In other words, you can reverse engineer one of HP’s firmware updates, program your own, and then insert it into a print job. You can install whatever software you like on millions of network- and internet-connected LaserJet printers.
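The check that is missing here, as an added example (not HP's code and not the researchers'): the device accepts an update only if its signature verifies under a vendor public key stored on the device, shown next to the unsigned behaviour described above. The blob layout, the `FWUP` marker, the function names and the throwaway key pair are assumptions made for illustration, and Ed25519 stands in for whatever signature scheme a vendor would pick.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Constructed layout (hypothetical, not HP's): "FWUP" | u32 version | u32 length | image | 64-byte Ed25519 signature over all preceding bytes
const headerLen = 12

// acceptUnsigned is the behaviour the article describes: no check of who made the update.
func acceptUnsigned(blob []byte) bool { return bytes.HasPrefix(blob, []byte("FWUP")) }

// acceptSigned returns the image only if framing is consistent and the signature verifies.
func acceptSigned(vendor ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < headerLen+ed25519.SignatureSize || !acceptUnsigned(blob) {
		return nil, fmt.Errorf("not a firmware update")
	}
	n := uint64(binary.BigEndian.Uint32(blob[8:12]))
	if uint64(len(blob)) != headerLen+n+ed25519.SignatureSize {
		return nil, fmt.Errorf("length field does not match blob size")
	}
	if !ed25519.Verify(vendor, blob[:headerLen+n], blob[headerLen+n:]) {
		return nil, fmt.Errorf("signature check failed")
	}
	return blob[headerLen : headerLen+n], nil
}

// buildUpdate is the vendor-side packer: header, image, then signature over both.
func buildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	b := make([]byte, headerLen, headerLen+len(image)+ed25519.SignatureSize)
	copy(b, "FWUP")
	binary.BigEndian.PutUint32(b[4:], version)
	binary.BigEndian.PutUint32(b[8:], uint32(len(image)))
	b = append(b, image...)
	return append(b, ed25519.Sign(priv, b)...)
}

// vendorKey makes a throwaway key pair standing in for the vendor's signing key.
func vendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(nil) }

func main() {
	pub, priv, _ := vendorKey()
	blob := buildUpdate(priv, 1, []byte("constructed image"))
	blob[headerLen] ^= 1 // modify the image after signing
	_, err := acceptSigned(pub, blob)
	fmt.Println("unsigned check accepts:", acceptUnsigned(blob), "| signed check:", err)
}
```

Because the signature covers the header as well as the image, changing the version or length field invalidates the update just as changing the image does.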

Beyond the terrifying burning-paper example, Columbia also showed some hacked firmware that detected when a tax return was being printed, and then extracted the Social Security number and forwarded it to a Twitter feed. Really, though, the possibilities of what a hacked printer could do are endless; it’s effectively just another computer on the network. You could make a botnet out of hacked printers, even.

Now, at first this might sound like a local vulnerability — many printers are connected to the internet via the LAN, but they’re hidden behind NAT and hard to reach — but what if an employee at a company is spear-phished with a hacked-firmware-laden PDF or DOC? The main problem, though, is that HP and its customers have no real way of patching this hole. There’s no global update that HP can trigger. Even worse, there’s no way for companies to tell if their printers have been hacked. The only real solution would be to replace every printer in the office. It’s worth noting that other (non-HP) printers, copiers, and all-in-one thingamajigs are probably vulnerable to a similar attack, too.

To be honest, we shouldn’t be surprised that such a hole exists; depressed, perhaps, but not surprised. You might not be aware, but almost every network- or internet-connected device, from a car’s on-board telematics to a self-aware refrigerator, is a computer — as in a processor, network interface, some memory, and an operating system. In the case of printers, it’s usually a computer running VxWorks or an embedded version of Linux. These devices, like your Android phone, Linux server, or Windows PC, are just as vulnerable to malware, viruses, and SQL injection. As you know, manufacturers generally take shortcuts to get their products to market sooner — and if there has never been a known case of the device being exploited, such as the case with printers, you can see why HP might skimp when it comes to security measures.

It’s a very similar story to the hackable insulin pump or opening a car door via SMS. It’s not hard to secure these systems, it just doesn’t seem like a worthwhile activity until a security researcher shows a proof-of-concept attack — and then everyone moves very, very rapidly to patch the hole before the metaphorical ship sinks. The problem here, though, is that most cases of “security through obscurity” occur in rare, off-the-grid devices. There might only be a few thousand wireless insulin pumps in the world, and they’re not connected to the internet. HP has sold 100 million LaserJet printers since 1984, and they’re all connected to the internet or a computer.

Update @ 15:44 ET: HP has posted a response on the situation. Basically, it suggests that every LaserJet printer has a “thermal breaker,” which would prevent paper (or the printer?) from catching fire. The rest of the release basically confirms that there’s a gaping security hole and that they’re working on a firmware fix. With no centralized update service, though, it’s safe to assume that unpatched printers will be around for years to come.

[Image credit: Chris Hills — and that’s an InkJet, not a LaserJet, incidentally]

Welcome to the new world. A place where your refrigerator can be shut down on the whim of a 13 year old in China and your house set ablaze ’cause a printer manufacturer wanted a new selling point on their list of features while valuing cheap, quick, and easy with no mind to securing the damn thing.

Seriously, the kind of security this damn thing would use is a solved problem. Why is it missing, precisely?

Gustavo Lopez

“The only real solution would be to replace every computer in the office.”

….Really?

http://www.mrseb.co.uk Sebastian Anthony

I meant printer, of course :) Thanks.

http://profiles.google.com/icthustechnology corey ames

This is brilliant! I mean that both sarcastically for the vendors as well as giving credit to the researcher. But remember this does not just affect HP printers, as most laser printers will accept firmware updates. And don’t forget the multi-function inkjet printers that are also vulnerable. Malware writers can infect printers with a bot that will infect all computers on a network. They can infect a COPIER to do the same things as well as upload the contents of the hard drive of the copier to the bad guys or utilize the hard drive as large storage for their malevolent purposes. It tends to boggle the imagination on the endless possibilities for these vulnerabilities. Technicians will “cash in” on the action by making sure their customers printers are patched.

Thanks for taking the time to comment :) I actually updated the story after reading your post, to include the fact that other devices could be affected!

Anonymous

It’s an interesting story but it would have been nice if the picture of the burning printer was a LaserJet instead of a DeskJet (inkjet) which have no fusers and cannot “burst into flames” because of a non-existent fuser overheating.

http://www.mrseb.co.uk Sebastian Anthony

If you can find a big photo of a LaserJet bursting into flames, let me know.

http://pulse.yahoo.com/_5I2ZAJE7UFYHBSWWQ2ORNXECHY Johnson

okay.

Anonymous

Hi Sebastian, I guess that was sort of my point. The story is interesting and I am not saying whether or not the research is valid but if there is no evidence (picture) of a printer bursting into flame then it’s sort of like the old “Cold Fusion” story. “We did it but we can’t prove it”.

http://geek.com sal cangeloso

There used to be a really cool term for the mythical virus or hack that would create some sort of hardware damage (usually a fire) on a remote system. The myth normally concerned the shutting off of cooling fans which would lead to overheating and, supposedly, a fire.

Can anyone recall the term? Been trying to remember it all day.

http://www.mrseb.co.uk Sebastian Anthony

Hah, been wondering about that too. I remember some virus, perhaps theoretical, that could oscillate the frequency on a CRT monitor and cause it to explode/burn out? Remember seeing it on Slashdot or something…

Alabama Mike

I can remember only one way to ruin hardware with software. Old MFM and RLL hard drives needed to be “parked” before shutting down. Parking consisted of moving the read/write heads to a part of the disk where they could touch and not ruin data. When the first IBM PS2 machine came out, the park command could be used on the 3 1/2 floppy drive as well. It would repeatedly bang the drive arm against a metal stop until the arm bent and the floppy drive was ruined.

Joel Hruska

“A place where your refrigerator can be shut down on the whim of a 13 year old in China and your house set ablaze ’cause a printer manufacturer wanted a new selling point on their list of features while valuing cheap, quick, and easy with no mind to securing the damn thing.”
I envy the person who has time to worry about problems like this. I really do.

http://www.mrseb.co.uk Sebastian Anthony

But hey, at least RL violence/crime is down.

The first real cyber war is going to be interesting though, that’s for sure :)

http://profiles.yahoo.com/u/DBNMGVDYK6MFUBYDSWBQCFD4JA The Anti-Obama

This is bullcrud. That printer pictured is an inkjet printer…looks like the 990cxi…

http://blog.obelisk.ro oxygen

Would someone like to mention all iOS devices getting owned by vulnerabilities, since their launch, ’till today? You could be walking around with a “jailbroken” device and not even know it :))

adrienne luther

Shall I say that kind of attack is not really smart? It actually depends on the hardware defect, when a printer is not behind a firewall (which also needs a specific version btw).
It could have been better if they can override the thermal override or hack the supply of HP laser toner cartridges..

Use of this site is governed by our Terms of Use and Privacy Policy. Copyright 1996-2016 Ziff Davis, LLC. PCMag Digital Group. All Rights Reserved. ExtremeTech is a registered trademark of Ziff Davis, LLC. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis, LLC. is prohibited.